Digital Identity in Healthcare: What's Coming Down the Pike Lisa Gallagher, BSEE, CISM, CPHIMS, FHIMSS VP, Technology Solutions, HIMSS
Discussion What is the Problem? What is Digital Identity and How Does it Relate to Healthcare? What is NSTIC? The NSTIC CSDII / Inova Healthcare Pilot The Future for Healthcare
What is the Problem? Patient and Provider Data Access - Individuals often need to manage numerous accounts with user names and passwords. These types of access controls are not sufficient. In fact, a recent study shows that 76% of network intrusions exploited weak or stolen credentials [1]. Identity proofing and verification is essential to ensure proper delivery of care and protect privacy. [1] Source: 2013 Data Breach Investigations Report, Verizon and US Secret Service
What is a Medical Record? A medical record is a permanent record that contains identifiable medical information, and is intended for use in decision-making relevant to a patient's health coverage, diagnosis and treatment. Often includes a patient's name, Social Security number, address, insurance number or other identifier that links to an individual. A medical record can be in paper or electronic form and can be maintained by payers, providers and/or business associates.
The Value of Medical Identity. Criminals - Use of medical identities to commit fraud (for example, to improperly obtain medical goods, services, or pharmaceuticals) or to bill payers (private, Medicare/Medicaid) for such that are never delivered or received. This is more profitable than drugs, prostitution, and other forms of identity theft. Ordinary people - Medical identities can easily be shared to obtain medical goods, services or drugs. Thus, the value of such identities can be 20 to 50 times the value of financial records alone.
Types of Medical Identity Theft. Medical identity theft refers to the misuse of another individual's PII, such as name, date of birth, SSN, or insurance policy number to obtain or bill for medical services or medical goods [1]. Robin Hood Fraud - When an individual knowingly gives a friend or family member information to fraudulently receive healthcare services or goods. [1] HHS Office of the National Coordinator, Medical Identity Theft Environmental Scan, October 15, 2008,
Risks to Individual Patient Financial Reputation/Credit Report Patient Safety Coverage /Access
Recent Press USA Today Sept. 13, 2014 There is an epidemic of medical identity theft. Mentions: Hacks of Healthcare.gov Healthcare.gov navigators not required to have background checks Community Health System hack by Chinese actors Fortune Aug. 31, 2014 Medical identity theft: How the health care industry is failing us. Healthcare industry is failing to: Detect Mitigate Share information Create sources of threat and incident data
Some Numbers. A minimum of 3% of our healthcare spending is fraudulent and abusive [1]; that translates to over $114 billion* annually to our healthcare system [1]. My Math. Medical ID theft is about 3 percent of healthcare fraud overall - that translates to $3.4 billion as the cost of medical ID theft to the system as a whole. Kaiser Report - In early 2014, the Identity Theft Resource Center produced a survey showing that medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013. (This is stated poorly - actual ITRC report states that this is percentage of breaches.) [1] Source: NHCAA (National Healthcare Anti-Fraud Association) * - I've seen estimates of $80 Billion to $230 Billion
Unique Challenge for Healthcare: Patient Data/Record Matching. Patient Data Matching is the task of identifying, matching, and/or merging records that belong to the same patient that are currently stored in multiple applications or databases. Problem Statement: Today there exists no safe and effective way to identify and accurately link patients with their clinical data.
Patient Data Matching - Challenges. A 2008 Rand Corporation Study [1] estimated that 8%-10% of EMRs contain errors related to matching patients with their data. A 2009 HIMSS White Paper [2] documented nine factors that contribute to/influence current error rates. In the near term, a consistent patient data-matching strategy is absolutely essential to obtaining the full benefits of health information technology, controlling costs, and ensuring patient safety. A 2012 HIMSS White Paper provides Measures and Key Attributes for
Work on Patient Data Matching Near Term Industry improve current matching algorithms HIMSS address future matching across HIEs/data exchange HIMSS Innovator-in-Residence Project with HHS and industry Long Term Migration to use of Multi-factor, Multi-Level-of-Assurance Digital Identity
HIMSS Innovator-In-Residence Project IIR is Embedded at HHS Office of CTO, and ONC Project Work on Data Quality Joint industry project (with WEDI, MGMA, others) on a Virtual Clipboard Test Open Algorithms against Gold Standard Data Set Validate using both Real and Synthetic Data Sets Set benchmark and reduce variables Create permanent test bed
Future Use of Digital Identity Migration to use of Multi-factor, Multi-Level-of-Assurance Digital Identity Work within the strategy being Developed by the National Strategy for Trusted Identities in Cyberspace (NSTIC) Project
What is Digital Identity? http://en.wikipedia.org/wiki/identity_management
Identity Management is Evolving - Gartner Predictions [1]: 1. Every user is a consumer. 2. A competitive marketplace for identity services is evolving. 3. We will see the death of "least privilege." 4. Legacy pricing models will radically change. 5. Context-based attributes will be the dominant mechanism for access control. 6. Identity analytics and intelligence (IAI) tools will deliver direct business value. 7. The Internet of Things will redefine the concept of "identity management" to include what people own, share, and use. [1] Fontana, J., Seven ways identity, access management will change in the enterprise, http://www.zdnet.com/seven-ways-identity-access-management-will-change-in-the-enterprise-7000023382/
Identity Management in Healthcare. Creation and management of individual digital identity for both providers and patients (and computing assets). For Providers (and all who require access to data), used for Authentication, Access Control and Audit. For patients, used for the above, but this will also help with: Identifying the same individual across health care organizations using the attributes/identifier(s) specified as part of the identity
What is NSTIC? Called for in President's Cyberspace Policy Review (May 2009): a cybersecurity focused identity management vision and strategy that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation. National Strategy for Trusted Identities in Cyberspace. NSTIC calls for a National Identity Ecosystem. Guiding Principles: Privacy-Enhancing and Voluntary; Secure and Resilient; Interoperable; Cost-Effective and Easy To Use. Calls for: an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities. [1] Source: Jeremy Grant, Senior Executive Advisor, Identity Management, National Strategy for Trusted Identities in Cyberspace (NSTIC), National Institute of Standards and Technology (NIST), HIMSS Annual Conference 2014, Session #78
NSTIC Healthcare Pilot [1]: Cloud Based Strong Credentials + Privacy Barrier. [1] Source: Dr. Marshall Ruffin, Chief Technology Officer, Inova Healthcare, HIMSS Annual Conference 2014, Session #78
What We Learned from the Healthcare Pilot. Use of Digital Credentials provides the following benefits [1]: Increased Security; Enhanced Privacy; Reduced Cost; Ability to leverage multiple credential types (incl. 3rd party credentials); Consistent authentication mechanism; Decreased administrative and maintenance overhead; Positive perception to patients and providers. [1] Source: Dr. Marshall Ruffin, Chief Technology Officer, Inova Healthcare, HIMSS Annual Conference 2014, Session #78
What Does All of This Mean? In the immediate future, we will be able to: Create and Use a Multi-factor, Multi-level of Assurance Digital Identity for a patient (consumer); Link Patient Records using better quality data elements and with better assurance. In the near future, we will migrate to use of Trustmarks or Componentized Trust: Patient Identity; Communication of Trust Across Trust Frameworks: Hospital to Hospital, HIE to HIE, etc.
How will this help with Medical Identity Theft? Strong Authentication Prevents inappropriate access Including Identity Proofing - Patient authentication includes ensuring that patients receiving services are the individuals they claim to be. Technology Solutions Digital Identity, deployed by/using: Digital Identity services Biometrics Smart chips (embedded in cell phones) Smart cards 1 - Booz Allen Hamilton, Medical Identity Final Report, prepared for U.S. Department of Health and Human Services, January 15, 2009, Page 16
QUESTIONS?
Lisa Gallagher, BSEE, CISM, CPHIMS, FHIMSS VP, Technology Solutions, HIMSS @LGallagherHIMSS